Incorrect Authorization
CVE-2024-27086
Summary
The MSAL library enabled the acquisition of security tokens to call protected APIs. MSAL.NET applications targeting Xamarin Android and .NET Android (e.g., MAUI) using the library from versions 4.48.0 through 4.59.0, and 4.60.0 through 4.60.2 are impacted by a low severity vulnerability. A malicious application running on a customer Android device can cause local Denial-of-Service (DoS) attack against applications that were built using MSAL.NET for authentication on the same device (i.e., prevent the user of the legitimate application from logging in) due to incorrect activity export configuration. As a workaround, a developer may explicitly mark the MSAL.NET activity non-exported.
- LOW
- LOCAL
- LOW
- UNCHANGED
- REQUIRED
- LOW
- NONE
- LOW
CWE-863 - Incorrect Authorization
Authorization is a security mechanism performed by an application to grant or deny access to the requested resources by verifying the privileges of the user. When an application lacks effective authorization mechanisms, it enables unauthorized users to gain unintended privileges and illegitimate access to resources. Such a vulnerability may result in exposure of sensitive information, denial of service, arbitrary code execution, and complete system takeover.
References
Advisory Timeline
- Published
